Security+ 3 Flashcards
RSA : asymmetric encryption, to create keys user selects 2 very large prime numbers and those prime numbers are used to create the keys. Then after mathematical computations RSA generates a public/private key. Sender encrypts messages using recipients public key, recipient decrypts messages using their own private key. RSA is slow and not usually used for long messages, but more commonly used when systems want to exchange symmetric keys. RSA patent is expired, has variable key length of 1,024-4,096 bits and is considered secure.
info …
PGP : uses public/private keys and combines symmetric/asymmetric cryptography. GnuPG free version of PGP.
ECC = uses EC discrete log problem. EC cryptography doesnt protect against quantum attacks.
Quantum Cryptography : may be stronger than any modern approach.
Tor : software package using encryption and relay nodes to facilitate anonymous internet access.
Perfect Forward Secrecy : a piece of an encryption system automatically and frequently changes the keys it uses to encrypt and decrypt information, such that if the latest key is compromised, it exposes only a small portion of the user’s sensitive data.
info …
Out-of-Band Key Exchange : exchanging of keys in some way that they both trust that uses a different communications channel. Could meet in person, physical mail, telephone call key exchange etc …
In-Band Key Exchange : exchange secret key over network even if people dont have secure way to communicate with each other in advance (securely exchange keys digitally).
Diffie-Hellman Algorithm : symmetric key exchange capability.
Encryption Key Escrow : allows govt. access to keys.
Recovery Agents : allows internal access to lost keys.
info …
Key stretching : takes relatively insecure value like password and uses math techniques to strengthen it making it harder to crack. Using Salting (adds a value to encryption key to make it more complex) and uses hashing. PBKDF2 : uses salting and hashing to stretch key and should be used at least 4K times. bcrypt : key stretching with blowfish.
info …
HSMs : manage encryption keys and perform cryptographic operations. FIPS Security Levels : Level 1 = standard OS’s no physical security, Level 2 = EAL2 software/firmware, tamper-evident seals, Level 3 = EAL3 software/firmware, tamper-resistant controls, Level 4 = EAL4 software/firmware, strict physical security.
Asymmetric Cryptography : users dont need to share their private keys, users can and should share their public keys freely, eavesdropping isnt likely during key exchange, but still need to prevent imposters (who is it really sending the keys?).
info ….
Trust Models : personal knowledge, WOT (Web of Trust) relies on indirect relationships like people on linkedIn you have a connection and know someone that knows someone etc - participants digitally sign the public keys of people they know personally, but has decentralized approach and high barrier to entry and requires technical knowledge, PKI …
PKI : depends on highly trusted certificate authorities (CAs). CA = trusted 3rd party org.’s that verify identity of users or org.’s and then issues digital cert.’s containing both identity info. and copy of subjects public key.
info …
Hash Function : one-way functions cant be reversed, output of hash function will always be same length regardless of input size (depends also on type of hash encryption being used), no 2 inputs to hash function should produce same output. MD5 : produces 128-bit hashes, no longer secure. SHA-1 : 160-bit hash (not secure), SHA-2 : produces output of 224/256/384/512 bit hashes (not secure), SHA-3 : produces hashes of user-selected fixed length. RIPEMD : produces 128/160/256/320 bit hashes (128 no longer considered secure, but 160 is).
info …
HMAC : combines symmetric cryptography and hashing, provides authentication and integrity, create and verify message authentication code by using a secret key in conjunction w/a hash function.
Digital Signatures : use asymmetric cryptography to achieve integrity, authentication and non-repudiation. Uses private key to create digital signature.
Approved DSS Algorithms : DSA algorithm, RSA algorithm, ECDSA algorithm (all are considered secure).
Revoke a Digital Certificate = CRL : includes serial numbers of revoked cert.’s,
OCSP : provides real time cert. status verification.
Certificate Stapling : reduces CAs burden …
info …
Self-Signed Certificates : org. sets up own CA and uses it to generate its own cert.’s but not trusted by outside world but can be used for internal purposes. Cert.
Chaining : allows the use of trusted 3rd party for org. which allows org. to create CAs which are trusted by external users. The internal CA is known in this case as an intermediate CA. Offline CAs : protect sensitive root keys.
Cert. Subject : owner of public key. Cert. Subjects : servers = web, SSH, file, email etc, devices = SANs, routers, switches, VPNs, access points etc, Individuals = names, email addresses, Developers = for code signing.
info …
Object Identifiers (OIDs) : sort of look like IP addresses used to uniquely identify each element of a digital cert., can help trace back origin of digital cert. and its components.
Cert. Pinning = tells users that they shouldnt expect a Cert. to change. Also ties a cert. to a subject for a period of time.
Root Cert.’s : protect CA private keys.
Wildward Cert.’s : cover whole domain. Commonly used for load balancers and other devices that must match many different domain names.
info …
